Keeping a Crowd Safe On the Complexity of Parameterized Verification Javier Esparza Technical University of Munich.



Wilfried Brauer ( ) Book of condolence:

"Why don't you give up?"
Theorem (Alan Turing, 1936): Program termination is undecidable.
Theorem (Henry G. Rice, 1961): Every non-trivial property of programs is undecidable.
Theorem (Marvin Minsky, 1969): Every non-trivial property of while-programs with two counter variables is undecidable.


Because … Undecidability requires some source of "infinity":
– Variables with an infinite range
– Dynamic data structures (lists, trees)
– Unbounded recursion
Concurrent systems
– are difficult to get right, and
– often have a finite state space.

Dijkstra's Mutual Exclusion Algorithm (CACM 8:9, 1965)


Concurrent programs are often finite-state: only two boolean variables per process!

Concurrent programs are difficult to get right (CACM 9:1, 1966)


A Leader Election Algorithm (90s)

A Cache-Coherence Protocol (00s) Source: Wikipedia Murphi model checker (Dill et al.)

A Model of a Bluetooth Driver (10s) KISS (Qadeer and Wu)

Parameterized Verification
Model-checking tools can only check instances of these systems for particular values of the number N of processes. Can we prove correctness for every N? This amounts to checking an infinite family of finite-state systems.


Keeping a Crowd Safe


Parameterized Verification: Give up? Theorem (folklore): The Halting Problem can be reduced to the parameterized coverability problem. Parameterized verification is doomed!

Identities

Anonymous Crowds
We investigate the decidability and complexity of the coverability problem for crowds in which
(1) every process executes exactly the same code (anonymous crowds), and
(2) the number of processes is unknown to the processes.

Keeping an Anonymous Crowd Safe

Communication Mechanisms
Reliable broadcast
– A process sends a message
– All other processes receive the message (instantaneously)
Rendez-vous
– Synchronous exchange of a message between two processes



Communication Mechanisms
Shared memory with locking
– Processes compete for a lock
– The process owning the lock can perform reads and writes
Shared memory, no locking
– Concurrent reads and writes allowed
– Interleaving semantics


High or Low Complexity?
Verifiers want low complexity. "Crowd designers" (swarm intelligence, population protocols, crowdsourcing) want high complexity.

Reliable broadcast
Theorem [E., Finkel, Mayr 99]: The coverability problem for broadcast protocols is decidable.
Informally: anonymous crowds are not Turing powerful.
Straightforward application of the backwards reachability algorithm by Abdulla et al., based on the theory of well-quasi-orders.

Reliable broadcast A configuration of the system is completely determined by the number of processes in each state. (No identities)

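As an added example, not code from the talk or its authors: the counter-abstraction view on the slide above (a configuration is the number of processes per template state, no identities) together with the backwards reachability algorithm the earlier slide attributes to Abdulla et al., written in Python. The crowd here communicates by rendez-vous and local steps rather than reliable broadcast, which keeps the predecessor computation short; the toy lock template, its state names, and the initial-configuration family (one leader plus any number of idle processes) are constructed assumptions. A plain forward exploration for one fixed N, which is what an ordinary model checker does, is included so the two views can be compared on the same template.

```python
"""Coverability for an anonymous crowd: counter abstraction + backwards reachability.
Added example with a constructed toy template; not the talk's code.  Every process
runs the same finite-state template and has no identity, so a configuration is just
"how many processes sit in each state".  Steps are local (one process moves) or
rendez-vous (two processes move together)."""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

Config = Tuple[Tuple[str, int], ...]   # sorted (state, count) pairs, count > 0
Transition = Tuple[Counter, Counter]   # (pre-multiset, post-multiset) of states

def norm(counts: Dict[str, int]) -> Config:
    """Canonical hashable form of a configuration (zero counters dropped)."""
    return tuple(sorted((s, n) for s, n in counts.items() if n > 0))

def leq(a: Config, b: Config) -> bool:
    """Pointwise order on counters; a well-quasi-order by Dickson's lemma."""
    db = dict(b)
    return all(db.get(s, 0) >= n for s, n in a)

def local(a: str, b: str) -> Transition:
    """One process moves from state a to state b."""
    return Counter([a]), Counter([b])

def rendezvous(a: str, b: str, c: str, d: str) -> Transition:
    """A process in a and a process in c synchronise; they move to b and d."""
    return Counter([a, c]), Counter([b, d])

def lock_template(buggy: bool) -> List[Transition]:
    """Constructed toy protocol: a leader hands out a lock by rendez-vous.
    acquire: idle + leader -> crit + busy;  release: crit + busy -> idle + leader.
    The buggy variant lets a busy leader 'time out' and become leader again."""
    ts = [rendezvous("idle", "crit", "leader", "busy"),
          rendezvous("crit", "idle", "busy", "leader")]
    if buggy:
        ts.append(local("busy", "leader"))
    return ts

def pred_min(m: Config, t: Transition) -> Config:
    """Least configuration from which one firing of t reaches something >= m.
    The predecessor of an upward-closed set is upward-closed, so a finite basis suffices."""
    pre, post = t
    dm = dict(m)
    states = set(dm) | set(pre) | set(post)
    return norm({s: max(dm.get(s, 0) - post[s], 0) + pre[s] for s in states})

def backward_basis(ts: List[Transition], target: Dict[str, int]) -> List[Config]:
    """Minimal basis of all configurations that can cover `target`
    (backwards reachability in the style of Abdulla et al.; terminates by WQO)."""
    basis = [norm(target)]
    work = list(basis)
    while work:
        m = work.pop()
        for t in ts:
            p = pred_min(m, t)
            if any(leq(b, p) for b in basis):
                continue                                   # already represented
            basis = [b for b in basis if not leq(p, b)]    # keep the basis minimal
            work = [w for w in work if not leq(p, w)]
            basis.append(p)
            work.append(p)
    return basis

def parameterized_coverable(ts: List[Transition], target: Dict[str, int],
                            fixed: Dict[str, int], replicated: Set[str]
                            ) -> Tuple[bool, Optional[Config]]:
    """Is `target` coverable from SOME member of the initial family 'fixed counts in
    the leader states, any number of processes in the replicated states'?
    Returns the witnessing basis element when it is."""
    for b in backward_basis(ts, target):
        if all(s in replicated or n <= fixed.get(s, 0) for s, n in b):
            return True, b
    return False, None

def reachable(ts: List[Transition], init: Dict[str, int]) -> Set[Config]:
    """Forward exploration for ONE fixed initial configuration (one concrete N)."""
    start = norm(init)
    seen, todo = {start}, [start]
    while todo:
        c = dict(todo.pop())
        for pre, post in ts:
            if all(c.get(s, 0) >= n for s, n in pre.items()):
                nxt = Counter(c)
                nxt.subtract(pre)
                nxt.update(post)
                n = norm(nxt)
                if n not in seen:
                    seen.add(n)
                    todo.append(n)
    return seen

def covers(configs: Set[Config], target: Dict[str, int]) -> bool:
    """Does some explored configuration have at least the counts in `target`?"""
    t = norm(target)
    return any(leq(t, c) for c in configs)

if __name__ == "__main__":
    for buggy in (False, True):
        ts = lock_template(buggy)
        ok, w = parameterized_coverable(ts, {"crit": 2}, {"leader": 1}, {"idle"})
        print("buggy" if buggy else "correct", "template: 2 in crit for some N?", ok, w)
        print("  forward check, N=3:", covers(reachable(ts, {"idle": 3, "leader": 1}), {"crit": 2}))
```

For the correct template the backward basis closes with three elements, none of which lies below any initial configuration, so two processes in `crit` are unreachable for every N at once. For the buggy template the basis contains a configuration with two idle processes and one leader, which is an initial configuration for N = 2: the violation is found without picking an N in advance, whereas the forward exploration only answers for the N it was given.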

Reliable broadcast

Love it!


Reliable broadcast: Complexity Theorem (Schmitz and Schnoebelen 13) The coverability problem for broadcast protocols has non-primitive-recursive complexity. Put that in your pipe and smoke it, Sherlock!

Reliable broadcast: Complexity
Theorem (Schmitz and Schnoebelen 13): The coverability problem for broadcast protocols has non-primitive-recursive complexity.
G. Delzanno: "Don't despair, Sherlock! Backwards reachability is useful for verification! I've used it to prove properties of a dozen cache-coherence protocols: their templates have under 10 states!"

Shared memory with locking
Two essential properties of reliable broadcast:
(1) Everybody receives every message
(2) The crowd can produce a leader
Shared memory with locking
– Can still produce a leader
– Can only guarantee that somebody receives a message

Shared memory with locking
Theorem: The coverability problem for systems communicating through a global store with locking is EXPSPACE-complete.


Shared memory with locking Lower bound [Lipton 1976] Upper bound [Rackoff 1978]:

Shared memory with locking Upper bound [Rackoff 1978]: Unfortunately, for us verifiers this upper bound is algorithmically useless …


Shared memory with locking
Theorem [Bozzelli, Ganty 2012]: Symbolic backwards reachability runs in double exponential time for global store with locking.
Love it! But backwards algorithms often generate too many unreachable states! Can't you come up with a forward exploration algorithm?

Shared memory with locking

Don't love it!


Rendez-Vous
Recall: Shared memory with locking
– can produce a leader, and
– guarantees that somebody receives a message
The rendez-vous mechanism
– guarantees that somebody receives a message, but
– cannot produce a leader

Rendez-Vous

Rendez-Vous
Theorem: The coverability problem for systems communicating by rendez-vous whose initial configuration has a leader is EXPSPACE-complete.

Shared memory, no locking
Locking is difficult to implement and potentially dangerous for many networked systems with dynamic membership:
– Vehicular networks
– Ad-hoc networks

Shared memory, no locking
Recall: The rendez-vous mechanism
– guarantees that somebody receives a message, but
– cannot produce a leader
Shared memory without locking
– cannot produce a leader, and
– cannot guarantee that somebody receives a message (overwrites)


Shared memory, no locking
Theorem [E., Ganty, Majumdar 2013; E. 2014]: The coverability problem for shared memory without locking and a symmetric initial configuration is polynomial. If the initial configuration has a leader, then the problem is NP-complete.
Love it! Piece of cake for our SMT solvers …


Shared memory without locking
Theorem [E., Ganty, Majumdar 2013]: The problem remains NP-complete if the template is a polytime Turing machine.
Not good! This means we cannot distribute an exponentially long computation onto exponentially many machines so that each machine only does polynomial work.

Summary


Further work and open questions
– Termination
– Temporal logics
– Implementations
– And if the processes know N?

That's all!

Shared memory with locking Theorem [Bozzelli, Ganty 12]: Symbolic backwards reachability runs in double exponential time for global store with locking. Are you ever happy?

A Carry-Look-Ahead 4-Bit-Adder

LeafCell, NodeCell, RootCell: Circuit

Identities